Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Specification
The specification filed on September 22, 2023 is accepted. The title of the invention is not descriptive. A new title is required that is clearly indicative of the invention to which the claims are directed.
System and method for monitoring electronic control unit (ECU) of vehicles with increased security.
Drawings
The drawings filed on September 22, 2023 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/11/2024 and 12/06/2024 was filed after the mailing date of the application 18/517128. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: a monitoring system, a monitoring device and a reliability manager in claims 1, 11 and 17 and a function restrictor in claims 4, 10 and 11.
Claim limitation(s) : “a monitoring system”, “a monitoring device”, “a reliability manager” and “a function restrictor” gives their broadest reasonable interpretation of the claim elements with a limited description in the specification. The examiner notes that these elements lie within a vehicle and/or a server see spec [page 11 line 15-20]. Accordingly claims 1, 4, 10, 11 and 17 invoke 35 U.S.C. 112 (f) or sixth paragraph, but the corresponding structure is described.
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 and 3-17 are rejected under 35 U.S.C. 103 as being unpatentable over HAREL et al (hereinafter HAREL) (US 20230275877) in view of GALULA et al (hereinafter GALULA) (US 20200216097).
Regarding claim 1 HAREL teaches a monitoring system for monitoring a vehicle or an integrated electronic control unit (ECU) in which functions of a plurality of ECUs are integrated and that operates inside the vehicle (HAREL on [0011 and 0087] teaches system and method for monitoring ECUs in vehicle to protect against cyber security attack. See also on [0123] teaches system that monitors all traffic to and from the ECUs);
the integrated ECU being capable of operating a plurality of virtual machines, each of the plurality of virtual machines including a function of at least one ECU among functions of the plurality of ECUs (HAREL on [0023, 0115, 0119, 0123] teaches ECU operating plurality of virtual machine. See on [0104-0107] teaches the virtual machine 306, being a honeypot, may be configured with security and monitoring features so that, when a malicious attack is performed on the virtual machine 306, that attack is trapped or “sandboxed” within the virtual machine 306. Operations of the attack such as system calls, network communication, and the like can be recorded by the virtual machine 306. i.e., virtual machine with function of ECUs);
wherein the monitoring system comprises a reliability manager that handles one of the plurality of virtual machines as a first monitoring target for monitoring the functions of the plurality of ECUs (HAREL on [0088-0090] teaches an attack analyzer 106 can be configured to monitor the malicious attacks 102 on the trap-images 104 and record information about the attacks. The trap images 104 are images of software of ECUs that are to be hardened. See on [0104-0107] the virtual machine 306, being a honeypot, may be configured with security and monitoring features so that, when a malicious attack is performed on the virtual machine 306, that attack is trapped or “sandboxed” within the virtual machine 306. Operations of the attack such as system calls, network communication, and the like can be recorded by the virtual machine 306. i.e., virtual machine with function of ECUs. Further teaches an attack on the library 308 may attempt to use a buffer-overrun exploit to initiate execution of arbitrary code within the virtual machine 306. When this attack is attempted (whether successful or unsuccessful) the virtual machine 306 can record actions taken. In some cases, elements of the virtual machine are inaccessible to the environment in which the libraries 308 execute, and one or more supervisors in those elements monitor the actions in the environment. See on [0123] teaches the trap image server system 204 can monitor all network traffic to and from the ECUs. See on [0130 and 0135] teaches the hosting system can monitor network traffic and the state of the VM for events that match a rule-set of states indicative of a malicious attack);
and manages first reliability indicating a security protection state of the first monitoring target, the first reliability being a variable capable of taking at least two levels each of which indicates a degree of the security protection state of the first monitoring target (HAREL on [0174] teaches confidence value or metric that indicates a variable level of certainty that the information about a particular sign, road, restriction, limit, location, or other attribute or object is accurate. See on [0179 and 0192-0194] teaches , a newly added landmark may be given a low confidence level, such as 1%, 5%, or 10%, to prevent the information from being used to alter vehicular behavior until the landmark can be confirmed and high confidence level. i.e., at least two levels low and high indicating degree of security protection);
and the monitoring system: performs integrity check security protection state indicated by the first reliability when the integrity check has not been successfully completed (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value);
and changes the current level among the at least two levels to diminish the degree of the security protection state indicated by the first reliability after an elapse of predetermined time from time at which the integrity check has been performed (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value i.e., since confidence level is decreased after integrity check is made therefore ‘predetermined time’ is implied).
Although HAREL teaches performing integrity check, but fails to explicitly teach performing integrity check of software, however GALULA from analogous art teaches
and the monitoring system: performs integrity check of software of the first monitoring target (GALULA on [0086-0088] teaches if an embodiment fails to authenticate executable code then it may be assumed an attack is in progress or was identified and high confidence level or value may be associated with the event or detection, e.g., causing embodiments to take preventive measures as described. However, if minor deviation from an expected behavior or flow is detected then a low confidence level may be associated with the detection, e.g., causing an embodiment to only report the detection).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 3 the combination of HAREL and GALULA teaches all the limitations of claim 1 above HAREL further teaches wherein the plurality of virtual machines that are capable of being operated by the integrated ECU operate on a hypervisor, and the monitoring system further monitors the hypervisor (HAREL on [0121-0123] teaches when an image is being serviced, a hypervisor of the image can be used for these types of tasks. This may be beneficial as a hypervisor can be made more difficult than native code to detect by malicious actors. On real ECUs, sensor software can be added to ECU software, and on images the sensors can be included, for example, in hypervisors).
Regarding claim 4 the combination of HAREL and GALULA teaches all the limitations of claim 1 above HAREL further teaches further comprising: a function restrictor that places a restriction on at least a part of functions of the first monitoring target according to the first reliability (HAREL on [0179] teaches a newly added landmark may be given a low confidence level, such as 1%, 5%, or 10%, to prevent the information from being used to alter vehicular behavior until the landmark can be confirmed).
Regarding claim 5 the combination of HAREL and GALULA teaches all the limitations of claim 1 above HAREL further teaches wherein the monitoring system causes the first monitoring target to perform reboot (GALULA on [0047 and 0055] teaches if verification, authentication or validation of executable code fails, a system may take preventative actions, e.g., kill or stop execution of the relevant process (violating process), reboot a system, revert to a known state of a system).
Regarding claim 6 the combination of HAREL and GALULA teaches all the limitations of claim 5 above HAREL further teaches wherein the monitoring system changes the current level among the at least two levels to increase the degree of the security protection state indicated by the first reliability or change the first reliability to an initial value (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value).
GALULA teaches (GALULA on [0047 and 0055] teaches if verification, authentication or validation of executable code fails, a system may take preventative actions, e.g., kill or stop execution of the relevant process (violating process), reboot a system, revert to a known state of a system).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 7 the combination of HAREL and GALULA teaches all the limitations of claim 5 above HAREL further teaches wherein the monitoring system determines whether the first reliability of the first monitoring target is less than a threshold value, and causes the first monitoring target to execute the reboot when the first reliability is less than the threshold value (HAREL on [0193] teaches if at 1250, the confidence level does not satisfy the predetermined threshold, then at 1280 the driving assistance (e.g., sign or landmark) information is not provided as part of the road information. For example, if the confidence associated with the information 880a is low enough (e.g., below the threshold) then the landmark (e.g., the misidentified “zombie x-ing” t-shirt) may not be treated as being “real” and therefore unnecessary to obey. See on [0195] teaches if the confidence level of the particular driving assistance information (e.g., sign or other landmark) fails to satisfy the predetermined removal threshold, then the information about the landmark is removed from the database)
Regarding claim 8 the combination of HAREL and GALULA teaches all the limitations of claim 4 above GALULA further teaches wherein the restriction on the at least the part of the functions of the first monitoring target according to the first reliability of the first monitoring target includes suspending an access right to access a particular resource by the first monitoring target (GALULA on [0097] teaches the system may limit access to specific diagnostic services based on its security policy. For example, the system may limit access to specific services based on the level of security access of the system and/or based on vehicle state. In some embodiments, the level of security access of the system may be changed by establishing a secure connection with the system, for example using a cryptographic handshake and/or a security token).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software and suspending access right. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 9 the combination of HAREL and GALULA teaches all the limitations of claim 8 above GALULA further teaches wherein the restriction on the at least the part of the functions according to the first reliability of the first monitoring target includes suspending a communication function of the first monitoring target (GALULA on [0054-0055] teaches when security layer 210 identifies or detects a dirty, unexpected or suspicious operation or event, security layer 210 kills (e.g. terminates execution of) a process and/or reverts a component or system to a known or predefined state. See on [0047, and 0052-0053] teaches preventive action may be performed upon failure to verify, authenticate or validate executable, e.g., security layer 210 may, upon failure as described, disable a component connected to an in-vehicle network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software and suspending access right. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 10 the combination of HAREL and GALULA teaches all the limitations of claim 4 above GALULA further teaches wherein the restriction on the at least the part of the functions of the first monitoring target according to the first reliability of the first monitoring target includes suspending a communication function of the first monitoring target, and in a case where the first monitoring target tries to communicate with a communication target, the function restrictor forbids the first monitoring target from communicating with the communication target when the first reliability is less than the threshold value (GALULA on [0054-0055] teaches when security layer 210 identifies or detects a dirty, unexpected or suspicious operation or event, security layer 210 kills (e.g. terminates execution of) a process and/or reverts a component or system to a known or predefined state. See on [0047, and 0052-0053] teaches preventive action may be performed upon failure to verify, authenticate or validate executable, e.g., security layer 210 may, upon failure as described, disable a component connected to an in-vehicle network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert. See on [0073] teaches any policy, rules, criteria or thresholds may be used by heuristic engine 230 to identify or detect an anomalous or suspicious behavior).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software and suspending access right. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 11 the combination of HAREL and GALULA teaches all the limitations of claim 9 above HAREL further teaches wherein the monitoring system further handles, as a second monitoring target, one virtual machine other than the first monitoring target among the plurality of virtual machines, the reliability manager further manages second reliability indicating a security protection state of the second monitoring target (HAREL on [0017 and 0108] teaches in a first time: host one or more first virtual machines, each of the virtual machines comprising one or more first libraries identified by specifications for an electronic control unit (ECU); expose the first virtual machines to a data network such that malicious attacks against the first virtual machines are possible over the data network; generate first records of the malicious attacks against the first virtual machines; in a second time after the first time: host one or more second virtual machines, each of the second virtual machines comprising an ECU image that comprise second libraries; expose the second virtual machines to the data network such that malicious attacks against the second virtual machines are possible over the data network; and generate second records of the malicious attacks against the second virtual machines. See on [0119] teaches the ECU image can be used in a virtual machine that emulates an ECU. Malicious attacks on the virtual machine can be observed and logged.)
GALULA teaches and in a case where the first monitoring target and the second monitoring target try to communicate with each other, the function restrictor forbids the first monitoring target and the second monitoring target from communicating with each other when at least one of the first reliability or the second reliability is less than the threshold value (GALULA on [0054-0055] teaches when security layer 210 identifies or detects a dirty, unexpected or suspicious operation or event, security layer 210 kills (e.g. terminates execution of) a process and/or reverts a component or system to a known or predefined state. See on [0047, and 0052-0053] teaches preventive action may be performed upon failure to verify, authenticate or validate executable, e.g., security layer 210 may, upon failure as described, disable a component connected to an in-vehicle network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert. See on [0073] teaches any policy, rules, criteria or thresholds may be used by heuristic engine 230 to identify or detect an anomalous or suspicious behavior).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software and suspending access right. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 12 the combination of HAREL and GALULA teaches all the limitations of claim 4 above GALULA further teaches wherein the restriction on the at least the part of the functions according to the first reliability of the first monitoring target includes suspending an operation of the first monitoring target (GALULA on [0054-0055] teaches when security layer 210 identifies or detects a dirty, unexpected or suspicious operation or event, security layer 210 kills (e.g. terminates execution of) a process and/or reverts a component or system to a known or predefined state. See on [0047, and 0052-0053] teaches preventive action may be performed upon failure to verify, authenticate or validate executable, e.g., security layer 210 may, upon failure as described, disable a component connected to an in-vehicle network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software and suspending access right. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 13 the combination of HAREL and GALULA teaches all the limitations of claim 1 above GALULA further teaches further comprising: a display unit that displays the first monitoring target and the first reliability together (GALULA on [0075] teaches an off-board detection system may also allow a security analyst to filter events from a display or presentation of the data, e.g., events may be presented in sorted lists and filters may be used to remove some events from presented lists such that only events or interest).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software and suspending access right. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 14 the combination of HAREL and GALULA teaches all the limitations of claim 4 above HAREL further teaches wherein the reliability manager and the function restrictor are mounted in the vehicle (HAREL Fig 1 and text on [0086-0092] teaches attack analyzer associated with vehicle. See on [0157-0163] teaches collection of vehicles 850a-850c are in communication with the server 105. Each of the vehicles 850a-850c is equipped with sensors and processors that can sense the presence and location of various landmarks in the surrounding environment. Such sensors will be discussed further in the description of FIG. 9. As the vehicles 850a-850c moves through its environment (e.g., road), they detect the presence or absence of nearby road status information, such as road signs and other roadside landmarks).
Regarding claim 15 the combination of HAREL and GALULA teaches all the limitations of claim 4 above HAREL further teaches wherein the monitoring system includes a server that is communicatively connected to the vehicle, and at least one of the reliability manager or the function restrictor is implemented in the server (HAREL Fig 2 and text on [0020, 0157 and 0095-0098] teaches server coupled to vehicle).
Regarding claim 16 HAREL teaches a monitoring method for monitoring a vehicle or an integrated electronic control unit (ECU) in which functions of a plurality of ECUs are integrated and that operates inside the vehicle (HAREL on [0011 and 0087] teaches system and method for monitoring ECUs in vehicle to protect against cyber security attack. See also on [0123] teaches system that monitors all traffic to and from the ECUs);
the integrated ECU being capable of operating a plurality of virtual machines, each of the plurality of virtual machines including a function of at least one ECU among functions of the plurality of ECUs (HAREL on [0023, 0115, 0119, 0123] teaches ECU operating plurality of virtual machine. See on [0104-0107] teaches the virtual machine 306, being a honeypot, may be configured with security and monitoring features so that, when a malicious attack is performed on the virtual machine 306, that attack is trapped or “sandboxed” within the virtual machine 306. Operations of the attack such as system calls, network communication, and the like can be recorded by the virtual machine 306. i.e., virtual machine with function of ECUs);
wherein the monitoring method comprises reliability managing that handles one of the plurality of virtual machines as a monitoring target for monitoring the functions of the plurality of ECUs (HAREL on [0088-0090] teaches an attack analyzer 106 can be configured to monitor the malicious attacks 102 on the trap-images 104 and record information about the attacks. The trap images 104 are images of software of ECUs that are to be hardened. See on [0104-0107] the virtual machine 306, being a honeypot, may be configured with security and monitoring features so that, when a malicious attack is performed on the virtual machine 306, that attack is trapped or “sandboxed” within the virtual machine 306. Operations of the attack such as system calls, network communication, and the like can be recorded by the virtual machine 306. i.e., virtual machine with function of ECUs. Further teaches an attack on the library 308 may attempt to use a buffer-overrun exploit to initiate execution of arbitrary code within the virtual machine 306. When this attack is attempted (whether successful or unsuccessful) the virtual machine 306 can record actions taken. In some cases, elements of the virtual machine are inaccessible to the environment in which the libraries 308 execute, and one or more supervisors in those elements monitor the actions in the environment. See on [0123] teaches the trap image server system 204 can monitor all network traffic to and from the ECUs. See on [0130 and 0135] teaches the hosting system can monitor network traffic and the state of the VM for events that match a rule-set of states indicative of a malicious attack);
and managing reliability indicating a security protection state of the monitoring target, the reliability being a variable capable of taking at least two levels each of which indicates a degree of the security protection state of the monitoring target, and the monitoring method comprises: (HAREL on [0174] teaches confidence value or metric that indicates a variable level of certainty that the information about a particular sign, road, restriction, limit, location, or other attribute or object is accurate. See on [0179 and 0192-0194] teaches , a newly added landmark may be given a low confidence level, such as 1%, 5%, or 10%, to prevent the information from being used to alter vehicular behavior until the landmark can be confirmed and high confidence level. i.e., at least two levels low and high indicating degree of security protection);
performing integrity check current level among the at least two levels to diminish the degree of the security protection state indicated by the reliability when the integrity check has not been successfully completed (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value);
and changing the current level among the at least two levels to diminish the degree of the security protection state indicated by the reliability after an elapse of predetermined time from time at which the integrity check has been performed (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value i.e., since confidence level is decreased after integrity check is made therefore ‘predetermined time’ is implied).
Although HAREL teaches performing integrity check, but fails to explicitly teach performing integrity check of software, however GALULA from analogous art teaches
and the monitoring system: performs integrity check of software of the first monitoring target (GALULA on [0086-0088] teaches if an embodiment fails to authenticate executable code then it may be assumed an attack is in progress or was identified and high confidence level or value may be associated with the event or detection, e.g., causing embodiments to take preventive measures as described. However, if minor deviation from an expected behavior or flow is detected then a low confidence level may be associated with the detection, e.g., causing an embodiment to only report the detection).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Regarding claim 17 HAREL teaches a monitoring device for monitoring a vehicle or an integrated electronic control unit (ECU) in which functions of a plurality of ECUs are integrated and that operates inside the vehicle (HAREL on [0011 and 0087] teaches system and method for monitoring ECUs in vehicle to protect against cyber security attack. See also on [0123] teaches system that monitors all traffic to and from the ECUs);
the integrated ECU being capable of operating a plurality of virtual machines, each of the plurality of virtual machines including a function of at least one ECU among functions of the plurality of ECUs (HAREL on [0023, 0115, 0119, 0123] teaches ECU operating plurality of virtual machine. See on [0104-0107] teaches the virtual machine 306, being a honeypot, may be configured with security and monitoring features so that, when a malicious attack is performed on the virtual machine 306, that attack is trapped or “sandboxed” within the virtual machine 306. Operations of the attack such as system calls, network communication, and the like can be recorded by the virtual machine 306. i.e., virtual machine with function of ECUs);
wherein the monitoring device comprises a reliability manager that handles one of the plurality of virtual machines as a first monitoring target for monitoring the functions of the plurality of ECUs (HAREL on [0088-0090] teaches an attack analyzer 106 can be configured to monitor the malicious attacks 102 on the trap-images 104 and record information about the attacks. The trap images 104 are images of software of ECUs that are to be hardened. See on [0104-0107] the virtual machine 306, being a honeypot, may be configured with security and monitoring features so that, when a malicious attack is performed on the virtual machine 306, that attack is trapped or “sandboxed” within the virtual machine 306. Operations of the attack such as system calls, network communication, and the like can be recorded by the virtual machine 306. i.e., virtual machine with function of ECUs. Further teaches an attack on the library 308 may attempt to use a buffer-overrun exploit to initiate execution of arbitrary code within the virtual machine 306. When this attack is attempted (whether successful or unsuccessful) the virtual machine 306 can record actions taken. In some cases, elements of the virtual machine are inaccessible to the environment in which the libraries 308 execute, and one or more supervisors in those elements monitor the actions in the environment. See on [0123] teaches the trap image server system 204 can monitor all network traffic to and from the ECUs. See on [0130 and 0135] teaches the hosting system can monitor network traffic and the state of the VM for events that match a rule-set of states indicative of a malicious attack);
and manages first reliability indicating a security protection state of the first monitoring target, the first reliability being a variable capable of taking at least two levels each of which indicates a degree of the security protection state of the first monitoring target (HAREL on [0174] teaches confidence value or metric that indicates a variable level of certainty that the information about a particular sign, road, restriction, limit, location, or other attribute or object is accurate. See on [0179 and 0192-0194] teaches , a newly added landmark may be given a low confidence level, such as 1%, 5%, or 10%, to prevent the information from being used to alter vehicular behavior until the landmark can be confirmed and high confidence level. i.e., at least two levels low and high indicating degree of security protection);
and the monitoring device: performs integrity check (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value);
and changes the current level among the at least two levels to diminish the degree of the security protection state indicated by the first reliability after an elapse of predetermined time from time at which the integrity check has been performed (HAREL on [0180-0181] teaches If at 1140 the database query indicates that data or a record exists for the driving assistance information, then at 1160 another determination is made. If information from the database and the information extracted from the sensor data are substantially the same, then the confidence level associated with the existing database information is increased. Further teaches If, at 1140, the information from the database and the information extracted from the sensor data are not substantially the same, then the confidence level associated with the existing database information is decreased at 1170. For example, the 70% confidence level associated with the accuracy of the speed limit of the road near the landmark 860a can be reduced to 69%, 68%, 60%, or any other appropriate decreased value i.e., since confidence level is decreased after integrity check is made therefore ‘predetermined time’ is implied).
Although HAREL teaches performing integrity check, but fails to explicitly teach performing integrity check of software, however GALULA from analogous art teaches
and the monitoring system: performs integrity check of software of the first monitoring target (GALULA on [0086-0088] teaches if an embodiment fails to authenticate executable code then it may be assumed an attack is in progress or was identified and high confidence level or value may be associated with the event or detection, e.g., causing embodiments to take preventive measures as described. However, if minor deviation from an expected behavior or flow is detected then a low confidence level may be associated with the detection, e.g., causing an embodiment to only report the detection).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of GALULA into the teaching of HAREL by performing integrity check of software. One would be motivated to do so in order to detect and prevent of exploitation of components connected to an in-vehicle network (GALULA [0001]).
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over HAREL et al (hereinafter HAREL) (US 20230275877) in view of GALULA et al (hereinafter GALULA) (US 20200216097) and further in view of Cain JR. et al (hereinafter Cain) (US 20220216995).
Regarding claim 2 the combination of HAREL and GALULA teaches all the limitations of claim 1 above, the combination fails to explicitly teach ECU operating trusted execution environment, however Cain from analogous art teaches wherein the integrated ECU further operates a trusted execution environment (TEE), and the integrity check is performed on the TEE (Cain on [0050-0052] teaches the server 110 may send the temporary key along with upcoming event information to the transport TEE 130. At block 131, the transport TEE 130 may confirm the upcoming event information based on reading from the transport ECU and/or transport sensors. If the upcoming event is confirmed at block 133, the temporary key is stored on the transport at block 134. Otherwise, the process ends and additional functionality is not requested by the transport from the server 110. At block 135, the TEE 130 may modify the temporary key based on agreement with the server 110. Then, at block 136 the TEE 130 may acquire current data from the transport ECU and/or transport sensors).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Cain into the combined teaching of HAREL and GALULA by ECU operating trusted execution environment. One would be motivated to do so in order securely process sensitive task and archive secure encrypted communication exchange (Cain [0050-0052]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kim et al (US 20190268321) is directed towards an electronic device capable of easily accessing a target service or a target external device through multi-factor authentication.
SEGAWA (US 2017009920) is directed towards monitoring a communication parameter of communication performed between the gateway and a newly-connected communication node that is newly connected to the network system, determining reliability of the newly-connected communication node based on whether the monitored communication parameter complies with a predetermined communication condition, and changing the predetermined communication condition based on the determined reliability.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522. The examiner can normally be reached 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOEEN KHAN/Primary Examiner, Art Unit 2436
Prosecution Insights